From: Aaron Lu <ziqianlu@bytedance.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Pu Lehui <pulehui@huawei.com>,
stable@vger.kernel.org, Andrii Nakryiko <andrii@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Wei Wei <weiwei.danny@bytedance.com>,
Yuchen Zhang <zhangyuchen.lcr@bytedance.com>
Subject: Re: Host panic in bpf verifier when loading bpf prog in 5.10 stable kernel
Date: Wed, 25 Jun 2025 17:33:11 +0800
Message-ID: <20250625093311.GA388@bytedance>
In-Reply-To: <2025062458-flask-enviably-20a7@gregkh>

On Tue, Jun 24, 2025 at 11:33:20AM +0100, Greg Kroah-Hartman wrote:
> On Tue, Jun 24, 2025 at 02:41:56PM +0800, Pu Lehui wrote:
> >
> >
> > On 2025/6/24 11:52, Aaron Lu wrote:
> > > On Tue, Jun 24, 2025 at 09:32:54AM +0800, Pu Lehui wrote:
> > > > Hi Aaron, Greg,
> > > >
> > > > Sorry for the late reply. Just found a fix [0] for this issue, we don't need to
> > > > revert this bugfix series. Hope that will help!
> > > >
> > > > Link: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=4bb7ea946a37 [0]
> > >
> > > I can confirm this also fixed the panic issue on top of 5.10.238.
> > >
> > > Hi Greg,
> > >
> > > The cherry pick is not clean but can be trivially fixed. I've appended
> > > the patch I've used for test below for your reference in case you want
> > > to take it and drop that revert series. Thanks.
> > >
> > > From f0e1047ee11e4ab902a413736e4fd4fb32b278c8 Mon Sep 17 00:00:00 2001
> > > From: Andrii Nakryiko <andrii@kernel.org>
> > > Date: Thu, 9 Nov 2023 16:26:37 -0800
> > > Subject: [PATCH] bpf: fix precision backtracking instruction iteration
> > >
> > > commit 4bb7ea946a370707315ab774432963ce47291946 upstream.
> > >
> > > Fix an edge case in __mark_chain_precision() which prematurely stops
> > > backtracking instructions in a state if it happens that state's first
> > > and last instruction indexes are the same. This situation doesn't
> > > necessarily mean that there were no instructions simulated in a state,
> > > but rather that we, starting from the instruction, jumped around a bit,
> > > and then ended up at the same instruction before checkpointing or
> > > marking precision.
> > >
> > > To distinguish between these two possible situations, we need to consult
> > > jump history. If it's empty or contains a single record "bridging" parent
> > > state and first instruction of processed state, then we indeed
> > > backtracked all instructions in this state. But if history is not empty,
> > > we are definitely not done yet.
> > >
> > > Move this logic inside get_prev_insn_idx() to contain it more nicely.
> > > Use -ENOENT return code to denote "we are out of instructions"
> > > situation.
> > >
> > > This bug was exposed by verifier_loop1.c's bounded_recursion subtest, once
> > > the next fix in this patch set is applied.
> > >
> > > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > > Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
> > > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > > Link: https://lore.kernel.org/r/20231110002638.4168352-3-andrii@kernel.org
> > > Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> >
> > Alright, this patch should target linux-5.10.y and linux-5.15.y.
> >
> > And better to add here with the following tags:
> >
> > Reported-by: Wei Wei <weiwei.danny@bytedance.com>
> > Closes: https://lore.kernel.org/all/20250605070921.GA3795@bytedance/
>
> Thanks, I've dropped the reverts and now queued this up. Let's push out
> a -rc2 and see how that goes through testing...

Thanks Greg.

5.15 stable tree also has this problem and after applying the above
patch to 5.15.185, the problem is also fixed. I would appreciate it if you can
also queue it for 5.15 stable branch, thanks.
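
The edge case described in the quoted commit message, as a simplified user-space model added here; it is not the kernel's code and not part of any message in this thread. The struct and function names and the sample jump history are constructed for illustration; only the stop conditions follow the commit message (an empty history, or a single record bridging the parent state, means the state is fully backtracked, signalled with -ENOENT).

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the verifier's bookkeeping (assumed names). */
struct jmp_rec { int prev_idx, idx; };   /* a recorded jump: prev_idx -> idx */
struct state { int first_idx, last_idx, cnt; const struct jmp_rec *hist; };

/* Step back one insn: follow a recorded jump landing on i, else go to i - 1. */
static int prev_insn(const struct state *st, int i, int *cnt)
{
    if (*cnt && st->hist[*cnt - 1].idx == i)
        return st->hist[--(*cnt)].prev_idx;
    return i - 1;
}

/* Fixed stepping: reaching first_idx ends the walk only if the history is empty
 * or holds just the record bridging the parent state to first_idx. */
static int prev_insn_fixed(const struct state *st, int i, int *cnt)
{
    if (i == st->first_idx && (*cnt == 0 || (*cnt == 1 && st->hist[0].idx == i)))
        return -ENOENT;
    return prev_insn(st, i, cnt);
}

/* Walk one state backwards from last_idx; returns the number of insns visited. */
static int backtrack(const struct state *st, int fixed, int *visited, int max)
{
    int cnt = st->cnt, n = 0, i = st->last_idx;
    while (n < max) {
        visited[n++] = i;                  /* stands in for backtrack_insn() */
        if (!fixed && i == st->first_idx)  /* pre-fix check: stops too early */
            break;
        i = fixed ? prev_insn_fixed(st, i, &cnt) : prev_insn(st, i, &cnt);
        if (i == -ENOENT)
            break;
    }
    return n;
}

/* Constructed sample: state entered at insn 3 by a jump from insn 1, then 3->4->5->3. */
static const struct jmp_rec loop_hist[] = { {1, 3}, {5, 3} };
static const struct state loop_state = { 3, 3, 2, loop_hist };

int main(void)
{
    int v[8];
    printf("old=%d fixed=%d\n", backtrack(&loop_state, 0, v, 8), backtrack(&loop_state, 1, v, 8));
    return 0;
}
```

With the pre-fix check the walk visits only insn 3 and skips insns 4 and 5, which the state did simulate; with the history-aware check it visits 3, 5, 4, 3 before reporting that it is out of instructions.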